Add flag to set the destination zones (#11)

* Add flag to set the destination zones

* Update version to v0.6.5

Makefile

@@ -1,6 +1,6 @@
 VERSION_MAJOR ?= 0
 VERSION_MINOR ?= 6
-VERSION_BUILD ?= 4
+VERSION_BUILD ?= 5
 VERSION ?= v$(VERSION_MAJOR).$(VERSION_MINOR).$(VERSION_BUILD)
 
 GOOS ?= $(shell go env GOOS)

cmd/main.go

@@ -13,19 +13,21 @@ import (
 )
 
 var (
-	kubeconfig string
-	namespaces []string
-	services   []string
-	retry      int
-	logSetting string
-	group      string
-	ver        bool
+	kubeconfig       string
+	namespaces       []string
+	services         []string
+	destinationZones []string
+	retry            int
+	logSetting       string
+	group            string
+	ver              bool
 )
 
 func parserFlags() {
 	flag.StringVarP(&kubeconfig, "kubeconfig", "", "", "Absolute path to the kubeconfig file.")
 	flag.StringSliceVarP(&namespaces, "ignore-namespaces", "", nil, "Set ignore namespaces for Kubernetes service.")
 	flag.StringSliceVarP(&services, "services", "", []string{"k8s-tcp", "k8s-udp"}, "The security policies service objects.")
+	flag.StringSliceVarP(&destinationZones, "destination-zones", "", []string{"AI public service network"}, "Public destination zones.")
 	flag.IntVarP(&retry, "retry", "", 5, "Number of retry for PA failed job.")
 	flag.StringVarP(&logSetting, "log-setting", "", "", "The security policies log-setting name.")
 	flag.StringVarP(&group, "group", "", "", "The security policies group name.")
@@ -48,6 +50,7 @@ func main() {
 	conf := &config.OperatorConfig{
 		Kubeconfig:       kubeconfig,
 		IgnoreNamespaces: namespaces,
+		DestinationZones: destinationZones,
 		Retry:            retry,
 		Services:         services,
 		GroupName:        group,

deploy/deployment.yml

@@ -22,7 +22,7 @@ spec:
       serviceAccountName: pa-svc-syncker
       containers:
       - name: pa-svc-syncker
-        image: inwinstack/pa-svc-syncker:v0.6.4
+        image: inwinstack/pa-svc-syncker:v0.6.5
         args:
         - --v=2
         - --logtostderr=true

pkg/config/types.go

@@ -20,6 +20,7 @@ type OperatorConfig struct {
 	Kubeconfig       string
 	IgnoreNamespaces []string
 	Services         []string
+	DestinationZones []string
 	Retry            int
 	LogSettingName   string
 	GroupName        string

pkg/k8sutil/security.go

@@ -23,39 +23,48 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
-func newSecurity(name, addr, log, group string, services []string, svc *v1.Service) *inwinv1.Security {
+type SecurityParameter struct {
+	Name             string
+	Address          string
+	Log              string
+	Group            string
+	Services         []string
+	DestinationZones []string
+}
+
+func newSecurity(para *SecurityParameter, svc *v1.Service) *inwinv1.Security {
 	return &inwinv1.Security{
 		ObjectMeta: metav1.ObjectMeta{
-			Name:      name,
+			Name:      para.Name,
 			Namespace: svc.Namespace,
 		},
 		Spec: inwinv1.SecuritySpec{
 			SourceZones:                     []string{"untrust"},
 			SourceAddresses:                 []string{"any"},
 			SourceUsers:                     []string{"any"},
 			HipProfiles:                     []string{"any"},
-			DestinationZones:                []string{"AI public service network"},
-			DestinationAddresses:            []string{addr},
+			DestinationZones:                para.DestinationZones,
+			DestinationAddresses:            []string{para.Address},
 			Applications:                    []string{"any"},
-			Services:                        services,
+			Services:                        para.Services,
 			Categories:                      []string{"any"},
 			Action:                          "allow",
 			IcmpUnreachable:                 false,
 			DisableServerResponseInspection: false,
 			LogEnd:                          true,
-			LogSetting:                      log,
-			Group:                           group,
+			LogSetting:                      para.Log,
+			Group:                           para.Group,
 			Description:                     "Auto sync Security for Kubernetes.",
 		},
 	}
 }
 
-func CreateSecurity(c clientset.Interface, name, addr, log, group string, services []string, svc *v1.Service) error {
-	if _, err := c.InwinstackV1().Securities(svc.Namespace).Get(name, metav1.GetOptions{}); err == nil {
+func CreateSecurity(c clientset.Interface, para *SecurityParameter, svc *v1.Service) error {
+	if _, err := c.InwinstackV1().Securities(svc.Namespace).Get(para.Name, metav1.GetOptions{}); err == nil {
 		return nil
 	}
 
-	newSec := newSecurity(name, addr, log, group, services, svc)
+	newSec := newSecurity(para, svc)
 	if _, err := c.InwinstackV1().Securities(svc.Namespace).Create(newSec); err != nil {
 		return err
 	}

pkg/k8sutil/security_test.go

@@ -34,11 +34,20 @@ func TestSecurity(t *testing.T) {
 	}
 
 	client := fake.NewSimpleClientset()
-	assert.Nil(t, CreateSecurity(client, "test-sec", "140.11.22.33", "", "", []string{"k8s-tcp"}, svc))
+	para := &SecurityParameter{
+		Name:             "test-sec",
+		Address:          "140.11.22.33",
+		Log:              "",
+		Group:            "",
+		Services:         []string{"k8s-tcp"},
+		DestinationZones: []string{"AI public service network"},
+	}
+	assert.Nil(t, CreateSecurity(client, para, svc))
 
-	sec, err := client.InwinstackV1().Securities(svc.Namespace).Get("test-sec", metav1.GetOptions{})
+	sec, err := client.InwinstackV1().Securities(svc.Namespace).Get(para.Name, metav1.GetOptions{})
 	assert.Nil(t, err)
-	assert.Equal(t, "140.11.22.33", sec.Spec.DestinationAddresses[0])
-	assert.Equal(t, []string{"k8s-tcp"}, sec.Spec.Services)
-	assert.Nil(t, DeleteSecurity(client, "test-sec", svc.Namespace))
+	assert.Equal(t, para.Address, sec.Spec.DestinationAddresses[0])
+	assert.Equal(t, para.Services, sec.Spec.Services)
+	assert.Equal(t, para.DestinationZones, sec.Spec.DestinationZones)
+	assert.Nil(t, DeleteSecurity(client, para.Name, svc.Namespace))
 }

pkg/operator/service/controller.go

@@ -178,10 +178,16 @@ func (c *ServiceController) syncNAT(svc *v1.Service, addr string) {
 // Sync the PA Security policies
 func (c *ServiceController) syncSecurity(svc *v1.Service, addr string) {
 	name := fmt.Sprintf("k8s-%s", addr)
-	log := c.conf.LogSettingName
-	group := c.conf.GroupName
-	services := c.conf.Services
-	if err := k8sutil.CreateSecurity(c.client, name, addr, log, group, services, svc); err != nil {
+
+	secPara := &k8sutil.SecurityParameter{
+		Name:             name,
+		Address:          addr,
+		Log:              c.conf.LogSettingName,
+		Group:            c.conf.GroupName,
+		Services:         c.conf.Services,
+		DestinationZones: c.conf.DestinationZones,
+	}
+	if err := k8sutil.CreateSecurity(c.client, secPara, svc); err != nil {
 		glog.Warningf("Failed to create and update Security resource: %+v.", err)
 	}
 }

pkg/operator/service/controller_test.go

@@ -92,6 +92,7 @@ func TestController(t *testing.T) {
 		Services:         []string{"k8s-tcp", "k8s-udp"},
 		GroupName:        "",
 		LogSettingName:   "",
+		DestinationZones: []string{"test"},
 	}
 	controller := NewController(ctx, client, conf)
 
@@ -116,7 +117,8 @@ func TestController(t *testing.T) {
 
 	sec, err := client.InwinstackV1().Securities("default").Get(name, metav1.GetOptions{})
 	assert.Equal(t, ip.Status.Address, sec.Spec.DestinationAddresses[0])
-	assert.Equal(t, []string{"k8s-tcp", "k8s-udp"}, sec.Spec.Services)
+	assert.Equal(t, conf.Services, sec.Spec.Services)
+	assert.Equal(t, conf.DestinationZones, sec.Spec.DestinationZones)
 
 	// Test onDelete
 	assert.Nil(t, coreClient.CoreV1().Services("default").Delete("test-svc", nil))